Description
FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, server names containing shell metacharacters (e.g., &) can cause command injection on Windows when passed to fastmcp install claude-code or fastmcp install gemini-cli. These install paths use subprocess.run() with a list argument, but on Windows the target CLIs often resolve to .cmd wrappers that are executed through cmd.exe, which interprets metacharacters in the flattened command string. This issue has been patched in version 3.2.0.
Published: 2026-04-03
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: Command Injection enabling arbitrary command execution on Windows servers
Action: Immediate Patch
AI Analysis

Impact

FastMCP's install commands pass the MCP server name through as an argument to a command-line client (claude-code or gemini-cli). On Windows these commands call subprocess.run() with a list argument, but the target CLI often resolves to a .cmd wrapper, which is executed by cmd.exe. When the server name contains shell metacharacters such as &, cmd.exe interprets the flattened command string and runs the injected commands. This is a CWE-78 command injection that can lead to arbitrary program execution on the host running the install command.

Affected Systems

FastMCP, a framework maintained by jlowin, is affected in all releases prior to version 3.2.0. Hosts on which "fastmcp install claude-code" or "fastmcp install gemini-cli" is run with a server name containing shell metacharacters are vulnerable. The issue is limited to Windows, where the target CLI resolves to a .cmd wrapper.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 6.7 (Medium). No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there. An attacker would need to supply or influence the server name used in the install command, which is normally set by local configuration. If such control can be obtained, injected commands run with the privileges of the user running the install command, which could lead to full compromise of the host. The attack vector is local Windows command execution caused by missing sanitization of the server-name parameter.

Generated by OpenCVE AI on April 3, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastMCP to version 3.2.0 or later.
  • If an upgrade is not immediately possible, ensure that any server names used in install commands contain no shell metacharacters and are validated before being passed to FastMCP.
  • Restrict the ability to modify server names to trusted administrators only.
  • Monitor system logs for unexpected execution of install commands or unusual shell activity.
  • Apply general best practices for input validation and least privilege to processes that invoke command-line tools.
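As an added example (not FastMCP's own code), the snippet below shows why a list argument to subprocess.run() does not neutralize the flattening described under Impact, and implements the allowlist validation recommended in the list above. The argv layout, the metacharacter set and the name pattern are assumptions made for this example.

```python
import re
import subprocess

# Characters cmd.exe treats specially when it re-parses a command line.
# Constructed for this example; the advisory itself only names '&'.
CMD_METACHARS = frozenset('&|<>^%!"\r\n')

# Allowlist for server names (assumed for this example, not FastMCP's rule):
# letters, digits, dot, underscore, dash; 1-64 characters.
SAFE_NAME = re.compile(r'[A-Za-z0-9][A-Za-z0-9._-]{0,63}')


def flatten_argv(argv):
    """Return the single string Windows builds from an argv list.

    subprocess.run(list) on Windows joins the list with list2cmdline(),
    which quotes for the C runtime's argv parser, not for cmd.exe. If the
    executable is a .cmd wrapper, cmd.exe re-parses this string and honours
    '&', '|' and similar. list2cmdline() exists on every platform, so the
    effect can be inspected without a Windows host.
    """
    return subprocess.list2cmdline(argv)


def unsafe_chars(server_name):
    """Metacharacters from CMD_METACHARS present in the name, in order."""
    return [c for c in server_name if c in CMD_METACHARS]


def validate_server_name(server_name):
    """Return None if the name is acceptable, otherwise a reason string."""
    if SAFE_NAME.fullmatch(server_name):
        return None
    bad = unsafe_chars(server_name)
    if bad:
        return f"server name contains cmd.exe metacharacters: {bad}"
    return "server name must match [A-Za-z0-9][A-Za-z0-9._-]{0,63}"


def build_install_argv(cli_path, server_name, server_command):
    """Hypothetical installer step: validate first, then build argv.

    The layout 'mcp add <name> -- <command>' is assumed for this example
    and is not the real claude-code / gemini-cli syntax.
    """
    reason = validate_server_name(server_name)
    if reason is not None:
        raise ValueError(reason)
    return [cli_path, "mcp", "add", server_name, "--", *server_command]
```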


Advisories

Source: GitHub GHSA
ID: GHSA-m8x7-r2rg-vh5g
Title: FastMCP has a Command Injection vulnerability - Gemini CLI
History

Fri, 03 Apr 2026 21:30:00 +0000

First Time appeared (values added): Jlowin; Jlowin fastmcp
Vendors & Products (values added): Jlowin; Jlowin fastmcp

Fri, 03 Apr 2026 17:45:00 +0000

Metrics, ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 16:30:00 +0000

Description (values added): same text as the Description section at the top of this page.
Title (values added): FastMCP has a Command Injection vulnerability - Gemini CLI
Weaknesses (values added): CWE-78
References
Metrics, cvssV3_1 (values added): {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-03T16:12:58.401Z
Reserved: 2025-10-30T17:40:52.030Z
Link: CVE-2025-64340

Vulnrichment

Updated: 2026-04-03T16:12:01.061Z

NVD

Status: Received
Published: 2026-04-03T16:16:23.010
Modified: 2026-04-03T16:16:23.010
Link: CVE-2025-64340

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:15:21Z

Weaknesses